SiteMinder wrongly sets the user's account to admin disabled in AD user store (with Enhanced AD Integration on) rather than setting the account status to locked-out due to maximum allowed login attempts when -
The expected behavior is that the account gets locked and not admin disabled, because if accounts get set to admin disabled on max login failures, there is no way to identify if a user was disabled by HR for administrative purposes, or if the user was simply locked out from retrying a password too many times.
IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create back up of the registry and ensure that you understand how to restore the registry if a problem may occur.
For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.
Beginning with siteminder Policy server 6.0-SP5-CR35 onwards, A new registry key 'ADLockoutMode' is added which when set to 1; the behavior will change to locking the user instead of disabling it in AD when max number of tries exceeded.